Callback phishing via Yammer comment
Detects callback scams sent through Yammer infrastructure containing suspicious payment-related keywords and phone numbers. The rule identifies messages with callback scam language patterns or multiple financial transaction terms combined with phone number patterns in the message body or subject line.
Sublime rule:
```yaml
name: "Callback phishing via Yammer comment"
description: "Detects callback scams sent through Yammer infrastructure containing suspicious payment-related keywords and phone numbers. The rule identifies messages with callback scam language patterns or multiple financial transaction terms combined with phone number patterns in the message body or subject line."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // message from Yammer sending infrastructure
  and sender.email.domain.root_domain == 'yammer.com'
  and length(body.current_thread.text) < 2000

  // Callback Phishing
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("callback_scam")
        and .confidence in ("medium", "high")
    )
    or 3 of (
      strings.ilike(body.current_thread.text, '*purchase*'),
      strings.ilike(body.current_thread.text, '*payment*'),
      strings.ilike(body.current_thread.text, '*transaction*'),
      strings.ilike(body.current_thread.text, '*subscription*'),
      strings.ilike(body.current_thread.text, '*antivirus*'),
      strings.ilike(body.current_thread.text, '*order*'),
      strings.ilike(body.current_thread.text, '*support*'),
      strings.ilike(body.current_thread.text, '*help line*'),
      strings.ilike(body.current_thread.text, '*receipt*'),
      strings.ilike(body.current_thread.text, '*invoice*'),
      strings.ilike(body.current_thread.text, '*call*'),
      strings.ilike(body.current_thread.text, '*cancel*'),
      strings.ilike(body.current_thread.text, '*renew*'),
      strings.ilike(body.current_thread.text, '*refund*')
    )
  )
  // phone number regex
  and any([body.current_thread.text, subject.subject],
          regex.icontains(.,
                          '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                          '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
          )
  )
  // negate benign threads
  and not any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "benign" and .confidence == "high"
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Header analysis"
id: "66650e2b-b944-5e5e-89ef-790a941f534a"
```
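To show how the rule's non-ML conditions combine (sender scoping, the 3-of keyword threshold, the digit-lookalike phone regexes, and the high-confidence benign override), here is an added Python re-implementation that is not part of the Sublime rule or its repository. It assumes a small `Message` dataclass standing in for the MQL fields, takes the NLU intents as an input list of `(name, confidence)` pairs in place of `ml.nlu_classifier()`, and runs over constructed sample messages; the keyword list and both regexes are copied verbatim from the rule above.

```python
import re
from dataclasses import dataclass, field

# Keyword list copied from the rule's strings.ilike('*...*') clauses.
KEYWORDS = [
    "purchase", "payment", "transaction", "subscription", "antivirus", "order",
    "support", "help line", "receipt", "invoice", "call", "cancel", "renew", "refund",
]

# Both phone-number patterns from the rule. The [ilo0-9] classes accept the
# letters i, l and o as stand-ins for 1 and 0, so "8OO-555-Ol99" still matches.
# regex.icontains is case-insensitive, hence re.IGNORECASE.
PHONE_PATTERNS = [
    re.compile(r"\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}", re.IGNORECASE),
    re.compile(r"\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}", re.IGNORECASE),
]


@dataclass
class Message:
    """Assumed minimal shape for the message fields the rule reads."""
    sender_root_domain: str   # sender.email.domain.root_domain
    subject: str              # subject.subject
    body_text: str            # body.current_thread.text
    # (name, confidence) pairs; stands in for ml.nlu_classifier(...).intents
    intents: list = field(default_factory=list)


def keyword_hits(text: str) -> list:
    """Case-insensitive substring matches, mirroring strings.ilike('*kw*')."""
    lowered = text.lower()
    return [kw for kw in KEYWORDS if kw in lowered]


def has_phone_number(text: str) -> bool:
    """True if either of the rule's phone regexes matches anywhere in text."""
    return any(p.search(text) for p in PHONE_PATTERNS)


def matches_rule(msg: Message) -> bool:
    """Plain-Python rendering of the rule's source block, condition by condition."""
    if msg.sender_root_domain != "yammer.com":          # Yammer infrastructure only
        return False
    if len(msg.body_text) >= 2000:                      # short threads only
        return False
    scam_intent = any(n == "callback_scam" and c in ("medium", "high")
                      for n, c in msg.intents)
    if not (scam_intent or len(keyword_hits(msg.body_text)) >= 3):
        return False                                    # NLU intent OR 3-of keywords
    if not (has_phone_number(msg.body_text) or has_phone_number(msg.subject)):
        return False                                    # phone number in body or subject
    benign = any(n == "benign" and c == "high" for n, c in msg.intents)
    return not benign                                   # negate benign threads


# Constructed sample messages (not real Yammer traffic).
SCAM_BODY = ("Thank you for your purchase. Your antivirus subscription renewal "
             "payment of $399.99 has been processed. To cancel or request a refund, "
             "call our support line at +1 (800) 555-0199 within 24 hours.")
SAMPLES = {
    "callback_scam": Message("yammer.com", "New comment on your post", SCAM_BODY),
    # letters O and l used in place of digits; caught by the first regex
    "obfuscated_phone": Message("yammer.com", "Comment", "Your antivirus subscription "
                                "renewal payment was charged. To cancel and get a refund "
                                "call 8OO-555-Ol99."),
    # phone number present but only two keywords (order, call): below the 3-of threshold
    "benign_threshold": Message("yammer.com", "Team lunch", "Reminder: the team lunch "
                                "order is due Friday. Call me at 555-0101 if you have questions."),
    # same scam text but not sent through Yammer: out of scope for this rule
    "wrong_sender": Message("example.com", "New comment", SCAM_BODY),
    # keyword and phone conditions hold, but a high-confidence benign intent suppresses it
    "benign_override": Message("yammer.com", "New comment", SCAM_BODY,
                               intents=[("benign", "high")]),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns {name: matched}."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, matched in run_samples().items():
        print(f"{name:18s} -> {'MATCH' if matched else 'no match'}")
```

The substring matching is deliberately broad (`call` also hits "callback", `order` hits "recorder"), which is why the rule only fires when three such terms co-occur with a phone number and the NLU classifier has not labelled the thread benign with high confidence.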